bitcoin-dev

Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility

Original post by Chris Belcher

Posted on: June 5, 2020 22:39 UTC

In a conversation about the CoinSwap protocol, it was noted that a chained/routed swap may have funding transactions that appear onchain in a particular order, which could be used to derive the order of the swaps.

Further analysis revealed that, using RBF and knowledge of the hash preimage, an attacker could steal both their own and the counterparty's funds. Therefore, it is advisable for a CoinSwap peer to wait for the other side's funding transaction to confirm before broadcasting their own. Additionally, it was suggested that nLockTime-protected backouts could be employed to allow everyone to recover their funds unilaterally in case one of the funding transactions does not confirm, thereby removing the lack of encumbrance in the LTC-side output of SAS and bringing the fiddly timing details off-chain, where they are less visible to observers. However, this approach is also vulnerable to an attack in which Bob cannot get his money back once the second pre-signed transaction exists, making him lose unilateral control over those coins.
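As an added illustration (not code from the thread or from any CoinSwap implementation), a mock-chain model in Python of the two mitigations summarised above: a funding-order rule that broadcasts one's own funding transaction only after the counterparty's is confirmed, and an nLockTime backout that becomes spendable at a given height. The chain, the txids and the RBF behaviour are simplified constructions, not real Bitcoin transactions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class Tx:
    txid: str
    rbf_of: Optional[str] = None  # constructed: txid this tx replaces via RBF, if any

@dataclass
class MockChain:
    """Constructed toy chain: a mempool plus a txid -> height map of mined txs."""
    height: int = 0
    mempool: Dict[str, Tx] = field(default_factory=dict)
    confirmed: Dict[str, int] = field(default_factory=dict)

    def broadcast(self, tx: Tx) -> None:
        if tx.rbf_of is not None:
            # RBF can only replace a transaction that is still unconfirmed
            if tx.rbf_of in self.confirmed:
                raise ValueError("cannot replace a confirmed transaction")
            self.mempool.pop(tx.rbf_of, None)
        self.mempool[tx.txid] = tx

    def mine_block(self) -> None:
        self.height += 1
        for txid in list(self.mempool):
            self.confirmed[txid] = self.height
        self.mempool.clear()

    def confirmations(self, txid: str) -> int:
        return 0 if txid not in self.confirmed else self.height - self.confirmed[txid] + 1

def may_broadcast_own_funding(chain: MockChain, peer_txid: str, required_confs: int = 1) -> bool:
    """The rule from the thread: fund only after the other side's funding tx is confirmed."""
    return chain.confirmations(peer_txid) >= required_confs

def backout_spendable(chain: MockChain, locktime_height: int) -> bool:
    """A height-based nLockTime tx is final in a block whose height exceeds nLockTime,
    so it can be mined into the next block once the tip has reached that height."""
    return chain.height >= locktime_height

def simulate(gated: bool) -> str:
    """'safe' if Alice's RBF replacement is rejected before Bob's funding tx is exposed."""
    chain = MockChain()
    chain.broadcast(Tx("alice_fund"))  # constructed txids
    if gated and not may_broadcast_own_funding(chain, "alice_fund"):
        chain.mine_block()  # Bob waits for Alice's funding tx to confirm
    chain.broadcast(Tx("bob_fund"))
    try:
        chain.broadcast(Tx("alice_fund_v2", rbf_of="alice_fund"))
    except ValueError:
        return "safe"
    return "exposed"
```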